The Federal Trade Commission had the first of three privacy roundtables yesterday, and I spoke on a panel about online targeted behavioral advertising. The other speakers on the panel were: Jeff Chester, Executive Director, Center for Digital Democracy; Dave Morgan, CEO, Simulmedia, Inc.; ZoÃ« Strickland, Vice President, Chief Privacy Officer, Walmart; Berin Szoka, Director, Center for Internet Freedom, The Progress & Freedom Foundation; Omar Tawakol, CEO, BlueKai; Craig Wills, Associate Professor, Computer Science, Worcester Polytechnic Institute; and Linda Woolley, Executive Vice President, Government Affairs, Direct Marketing Association. Moderators: Peder Magee and Michelle Rosenthal, Division of Privacy and Identity Protection, FTC.
A New York Times article on the roundtable quoted me about a fundamental issue that divides industry and consumer advocates: opt-in or opt-out. Opt-in, the choice of consumer advocates, puts the burden on companies to have strong privacy protections and use limitations so consumers will choose to share their data. Opt-out, the choice of the majority of ad industry players, puts the burden on consumers to learn about what the privacy policies are, whether they protect consumer data, whom the data is shared with and for what purpose, and how to opt-out of this data collection, use and sharing.
I’ve written a lot about online targeted behavioral advertising and the possible risks for consumer privacy. Behavioral advertising, where a userâ€™s online activity is tracked so that ads can be served based on the userâ€™s behavior. Often, consumers do not understand they are being tracked or have a false belief in the security of their data.Â In September, theÂ New York Times reported on a newÂ survey (pdf) from researchers at the University of Pennsylvania and the University of California-Berkeley that found Â consumer Â confusion Â about Â how, Â when Â or Â if Â their Â data Â is Â protected. Â â€œAmericans mistakenly believe that current government laws restrict companies from Â selling wideâ€ranging data about them. When asked trueâ€false questions about companiesâ€™ rights Â to share and sell information about their Â activities online and off, respondents on average answer only 1.5 Â of Â 5 online Â laws Â and Â 1.7 Â of Â the 4 offline Â laws Â correctly Â because Â they Â falsely Â assume Â government regulations prohibit the sale of data.â€
Even people knowledgeable about privacy laws are confused by privacy policies.Â In anÂ August 2009Â interview withÂ the New York Times, FTCÂ BureauÂ of ConsumerÂ Protection DirectorÂ David VladeckÂ said, â€œIâ€™m a lawyer,Â Iâ€™ve beenÂ practicing law for 33 Â years.Â I canâ€™t Â figure out Â what the hell these [noticeÂ and consentÂ disclosure forms] meanÂ anymore. And I donâ€™tÂ believeÂ thatÂ most consumersÂ eitherÂ read them, or, Â ifÂ they readÂ them, really understandÂ it.â€
And consumers don’t want to be tracked. The Penn-Berkeley study found,Â â€œContrary to what many marketers claim, most adult Americans (66%) do not want marketers to tailor advertisements to their interests. Moreover, when Americans are informed of three common ways that marketers gather data about people in order to tailor ads, even higher percentages â€” between 73% and 86% â€” say they would not want such advertising.â€
In April, University of Southern Californiaâ€™s Center for the Digital Future found in its eighth annual â€œSurveying the Digital Futureâ€ project (pdf) that â€œalmost all respondents continue to report some level of concern about the privacy of their personal information when or if they buy on the Internet.â€ Ninety-three percent of respondents â€œreported some level of concern about the privacy of personal information (somewhat, very, or extremely concerned).
U.S. lawmakersÂ have called for new rules to protect Web site usersâ€™ privacy, and the online behavioral advertising industryÂ has agreed to new, voluntary regulations â€” thatÂ still fall short in privacy protections.
I have joined a coalition of consumer advocacy organizations in urging Congress to enact legislation to protect consumer privacy in response to threats from the growing practices of online behavioral tracking and targeting. We need strong privacy-protective federal legislation, which will not preempt state privacy laws. The legislation needs to be based on the Fair Information Practices and OECD Principles: collection limitation, data quality, purpose specification, use limitation, security safeguards, openness, individual participation, and accountability.
And there needs to be a much better definition of “sensitive data” than the definition set out by the industry groups (pdf).Â The principlesÂ askÂ industry members not Â to collectÂ â€œsensitive Â data,â€ which the industry construes asÂ (1) â€œpersonalÂ informationâ€Â of children under age 13Â and (2)Â â€œfinancial account numbers,Â SocialÂ Security numbers, pharmaceutical Â prescriptions, or medical recordsÂ aboutÂ aÂ specificÂ individual.â€Â TheÂ principles do allow forÂ the collection and use ofÂ theÂ secondÂ category â€“Â healthÂ and financialÂ dataÂ â€“ ifÂ aÂ user consentsÂ to the collection andÂ use.
The industry’s self-regulatory principles would permit widespread data collection involvingÂ personal information regardingÂ ourÂ health andÂ financialÂ concernsÂ basedÂ on consentÂ that isÂ gathered viaÂ complicated privacy noticesÂ andÂ the user consentÂ is mostÂ likelyÂ toÂ be unknowingÂ or confused.Â Sensitive data include at least data about health, finances, ethnicity, race, sexual orientation, personal relationships and political activity.
Among the main points that the coalition of consumer advocacy groups said should be included in consumer privacy legislation:
- Sensitive information should not be collected or used for behavioral tracking or targeting.
- No behavioral data should be collected or used from anyone under age 18 to the extent that age can be inferred.
- Web sites and ad networks shouldnâ€™t be able to collect or use behavioral data for more than 24 hours without getting the individualâ€™s affirmative consent.
- Behavioral data shouldnâ€™t be used to unfairly discriminate against people or in any way that would affect an individual’s credit, education, employment, insurance, or access to government benefits.